krb5 commit [krb5-1.12]: Let libgssapi see TGTs in the MSLSA cache

Tom Yu tlyu at mit.edu
Fri Sep 12 17:28:32 EDT 2014


https://github.com/krb5/krb5/commit/8aa1d7c7334f2928d12694c8f72f7b5bb5c8f1c7
commit 8aa1d7c7334f2928d12694c8f72f7b5bb5c8f1c7
Author: Ben Kaduk <kaduk at mit.edu>
Date:   Thu Aug 21 18:56:24 2014 -0400

    Let libgssapi see TGTs in the MSLSA cache
    
    When the current user is a local administrator of a windows machine
    where User Account Control (UAC) is enabled, the Windows LSA will
    return a block of zeros as the session key for any TGT entry in the
    MSLSA: cache.  The lcc_retrieve() implementation checks for such
    "null" session keys and prevents them from escaping to callers (as
    attempts to use them would encounger strange errors).  However,
    when the TGT is the only entry in the cache, this filtering prevents
    scan_ccache() from detecting that the cache contains non-expired
    credentials (and that there is a TGT present).
    
    Since scan_ccache() is only looking at metadata in the cache entries,
    and does not need to actually use any tickets or session keys, set
    the KRB5_TC_NOTICKET flag on the ccache before scanning it.  This
    will allow the MSLSA implementation to return a cred for the TGT
    entry and cause the GSSAPI credential selection algorithm to function
    properly.
    
    (cherry picked from commit 0794746f8d8e6b8ce3748d442d2bc1faecf960ce)
    
    ticket: 8013 (new)
    version_fixed: 1.12.3
    subject: gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is enabled
    status: resolved

 src/lib/gssapi/krb5/acquire_cred.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index dd19b43..3cca20b 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -355,8 +355,9 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred)
     krb5_timestamp endtime;
     krb5_boolean is_tgt;
 
-    /* Turn off OPENCLOSE mode while extensive frobbing is going on. */
-    code = krb5_cc_set_flags(context, ccache, 0);
+    /* Turn off OPENCLOSE mode while extensive frobbing is going on.
+     * Turn on NOTICKET, as we don't need session keys here. */
+    code = krb5_cc_set_flags(context, ccache, KRB5_TC_NOTICKET);
     if (code)
         return code;
 


More information about the cvs-krb5 mailing list